High-Velocity Intrusions: Storm-1175 Chains Zero-Day and N-Day Exploits in Global Medusa Ransomware Campaign


Tags: Medusa ransomware, zero-day vulnerabilities, Storm-1175
A China-based threat actor known for deploying Medusa Ransomware has been linked to the weaponization of a combination of zero-day and N-day vulnerabilities to orchestrate "high-velocity" attacks and break into susceptible internet-facing systems.

Indicators of Compromise

No domains found for this campaign

APT Groups (1)

Storm-1175 (CN)

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION

DETECTION


Detection ID | Detection Name | Description | Technique

DET0146 | Detection of Data Destruction Across Platforms via Mass Overwrite and Deletion Patterns
Detects adversary use of tools (del, cipher /w, SDelete, rm -rf, shred, dd) to recursively delete or overwrite files at scale. Covers Windows, Linux, macOS, IaaS, ESXi, and Containers. Correlates process creation, file deletion events, and syscall burst rates within a time window.
Technique: T1485 — Data Destruction

DET0249 | Behavior-chain detection for T1610 Deploy Container across Docker & Kubernetes control/node planes
Remote/API-driven container creation and start whose image is not on an allow-list, executed by a non-admin principal and/or with risky runtime attributes (--privileged, host namespaces, sensitive mounts). Correlates create → start → first network/process actions within a short time window.
Technique: T1610 — Deploy Container

DET0309 | Compromised software/update chain (installer/write → first-run/child → egress/signature anomaly)
Adversary ships a tampered application or update: the installer writes or replaces binaries; on first run it spawns scripts/shells or unsigned DLLs and beacons to non-approved hosts. Correlates installer execution → file metadata changes → first-run children → outbound connections within 90 min. Covers Windows, Linux, macOS.
Technique: T1195.002 — Compromise Software Supply Chain

Observed Countries (3)

AU (506)
GB (250)
US (138)